HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

DRILLAPP Backdoor Exploits Microsoft Edge Debugging to Spy on Ukrainian Entities

A state‑linked espionage campaign using the DRILLAPP backdoor leverages Microsoft Edge’s remote‑debugging feature to infiltrate Ukrainian government and defense networks, underscoring new tooling‑abuse risks for third‑party risk managers.

LiveThreat™ Intelligence · 📅 March 16, 2026· 📰 thehackernews.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
3 recommended
📰
Source
thehackernews.com

DRILLAPP Backdoor Exploits Microsoft Edge Debugging to Spy on Ukrainian Entities

What Happened – A new espionage‑focused malware family dubbed “DRILLAPP” was observed in February 2026 delivering a stealth backdoor to Ukrainian government and defense‑related systems. The payload abuses Microsoft Edge’s remote‑debugging interface to execute code without triggering traditional endpoint detections.

Why It Matters for TPRM

  • State‑linked actors are leveraging legitimate browser tooling to bypass security controls, raising the bar for detection.
  • The campaign targets critical public‑sector assets, highlighting supply‑chain and tooling risk for vendors providing browsers or remote‑debug services.
  • Persistent backdoors can exfiltrate classified data, creating downstream compliance and reputational liabilities for third‑party providers.

Who Is Affected – Government & public‑sector agencies (defense, intelligence, critical infrastructure) in Ukraine; any organization that allows remote‑debugging of Microsoft Edge on employee workstations.

Recommended Actions

  • Audit and restrict Microsoft Edge remote‑debugging ports (9222/TCP) on all endpoints.
  • Deploy EDR rules that detect anomalous Edge debugging commands and DLL injection patterns.
  • Review third‑party contracts for browser‑related services and ensure they include secure‑by‑design clauses.

Technical Notes – The backdoor is delivered via a malicious PowerShell script that spawns Edge with --remote-debugging-port=9222, then injects a custom JavaScript payload to load a native DLL. The DLL establishes C2 over HTTPS and harvests clipboard, file system, and credential data. No public CVE is referenced; the technique exploits a legitimate feature rather than a software flaw. Source: The Hacker News

📰 Original Source
https://thehackernews.com/2026/03/drillapp-backdoor-targets-ukraine.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · PrivacyOps · CookiePLUS

A privacy incident is a question about your consent record.

CookiePLUS and Verisq AI Trust Operations keep consent, DSAR, and data-handling evidence continuously ready — so a data-exposure event finds you prepared, not scrambling.

See how Verisq AI Trust Operations handles privacy →